
I am setting up an OpenIDM server that syncs data between an OpenDJ store which is managed by my company and an Active Directory store that is going to be managed by a client-company.

The goal is to not require anything to be installed on the client's AD instance. This works fine for the most part, but I cannot get the passwords to sync between the two.

I found the guide for password syncing, but that requires an Active Directory plugin (and an OpenDJ one, but that's not such a problem).

Is it possible to set up a system where we can store a user account's password in the OpenDJ store through OpenIDM without needing such a plugin?

It would be acceptable if we can't change the password, only read it, but we need the password in order to set up logging in via OpenAM.

Erik
  • Where are the password changes originating? You want to capture passwords that are saved in AD accounts and sync them back to DJ? – Jake Feasel Sep 18 '15 at 13:53
  • Yes, if people can change their AD password with AD itself and it gets synced back to DJ, that would be fine. – Erik Sep 18 '15 at 15:08

1 Answer

Passwords which are changed directly in AD are hashed, and therefore unrecoverable as cleartext. The only way you would be able to get the cleartext password from AD (in order to provision it elsewhere) is by involving some other system before it is hashed. For example, installing the AD Password Plugin on the AD server will intercept the change event and send the cleartext password to OpenIDM (via REST). Similarly you could ask the users to change their password via the OpenIDM UI instead of directly against AD.

Short of either of those options, you would likely have to come up with an alternate architecture that does not rely upon having the password copied to different systems; essentially, you could delegate authentication to AD when needed, leaving the password in that one location. OpenAM should be able to support such a scheme.

Jake Feasel
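The delegated-authentication architecture from the answer above, as an added example that is not part of the question or the answer: instead of copying the password into OpenDJ, the verifier performs an LDAP simple bind against AD as the user and trusts AD's result, so the password stays in the one place it already exists. The code uses only the Python standard library and encodes just the BindRequest/BindResponse messages it needs. The account DN, the password and the in-process `fake_ad_responder` are constructed stand-ins for the client's domain controller; `ldaps_sender` is the hypothetical production path and is not exercised here.

```python
"""Pass-through authentication: check a password by binding to AD as that user.
Standard library only; BER framing covers the LDAP BindRequest/BindResponse
needed for this check (RFC 4511). Added example, not code from the original post."""
import socket
import ssl


def _ber_len(n):
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """Two's-complement INTEGER contents for a non-negative int (keeps the sign bit clear)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (_tlv(0x02, b"\x03") + _tlv(0x04, dn.encode("utf-8"))
            + _tlv(0x80, password.encode("utf-8")))
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x60, bind))


def build_bind_response(msg_id, result_code, diag=""):
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }."""
    op = _tlv(0x0A, _ber_int(result_code)) + _tlv(0x04, b"") + _tlv(0x04, diag.encode("utf-8"))
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x61, op))


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage); ValueError for any other op."""
    tag, msg, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


# Constructed stand-in for the client's domain controller: the password lives only here.
FAKE_AD_ACCOUNTS = {"CN=jdoe,OU=Users,DC=example,DC=com": "S3cret!pw"}
LDAP_SUCCESS, LDAP_PROTOCOL_ERROR, LDAP_INVALID_CREDENTIALS = 0, 2, 49


def fake_ad_responder(request):
    """Answer one BindRequest as a DC would. Like a real server it treats a DN with
    an empty password as an unauthenticated bind and returns success."""
    _, msg, _ = _read_tlv(request, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    msg_id = int.from_bytes(mid, "big")
    if tag != 0x60:
        return build_bind_response(msg_id, LDAP_PROTOCOL_ERROR, "expected BindRequest")
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, pw, _ = _read_tlv(op, pos)
    if auth_tag == 0x80 and pw == b"":
        return build_bind_response(msg_id, LDAP_SUCCESS)  # unauthenticated bind
    ok = auth_tag == 0x80 and FAKE_AD_ACCOUNTS.get(dn.decode("utf-8")) == pw.decode("utf-8")
    return build_bind_response(msg_id, LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS,
                               "" if ok else "invalid credentials")


def delegated_authenticate(dn, password, send, msg_id=1):
    """True iff AD accepts a simple bind as `dn` with `password`.
    `send(request_bytes) -> response_bytes` delivers one LDAPMessage.
    Empty passwords are refused locally: RFC 4513 section 5.1.2 defines DN plus
    empty password as an unauthenticated bind, which AD answers with success."""
    if not password:
        return False
    mid, code, _ = parse_bind_response(send(build_bind_request(msg_id, dn, password)))
    return mid == msg_id and code == LDAP_SUCCESS


def ldaps_sender(host, port=636):
    """Hypothetical production `send` over LDAPS so the password is not sent in the
    clear; not exercised here (needs a reachable DC). A bind response fits one recv."""
    ctx = ssl.create_default_context()

    def send(request):
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                return tls.recv(4096)
    return send


if __name__ == "__main__":
    dn = "CN=jdoe,OU=Users,DC=example,DC=com"
    print(delegated_authenticate(dn, "S3cret!pw", fake_ad_responder))  # True
    print(delegated_authenticate(dn, "wrong", fake_ad_responder))      # False
    print(delegated_authenticate(dn, "", fake_ad_responder))           # False
```

The empty-password check is the part worth keeping whatever library you end up using: a simple bind with a DN and no password is an unauthenticated bind, and AD reports it as successful, so a pass-through verifier that forwards whatever the login form sent will accept a blank password for any known account. In a real deployment the bind goes over LDAPS (or StartTLS) as in `ldaps_sender`, since the simple bind carries the password in the clear; OpenAM's LDAP authentication module does the same bind against AD, which is the delegation the answer describes.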